In my web.xml I've defined a user-data-constraint for some resources:
I think it works like this by design. You can't base your access control on the session. You need to use other parameters. You need to add authentication and use role-based control.
In Tomcat, there is protection, but exactly the opposite. If you get a session in the secure area, that session is not transferred to the unprotected area. Tomcat achieves this by setting the "secure" flag on the cookie, so the cookie is not sent over HTTP connections.